From: Galen Charlton <gmc@equinoxinitiative.org>
Date: Tue, 7 Nov 2017 19:33:16 +0000 (-0500)
Subject: LP#1671635: escape some values to avoid XSS
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=689171ab8e35da2ab7ef5e89c7e1dade3f38a753;p=contrib%2FConifer.git

LP#1671635: escape some values to avoid XSS

Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
---

diff --git a/Open-ILS/src/templates/opac/parts/place_hold.tt2 b/Open-ILS/src/templates/opac/parts/place_hold.tt2
index fc59a0dd06..76d8d9e11d 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold.tt2
@@ -57,9 +57,9 @@ function toggleActivationDate() {
 
         <!-- Adding hidden fields so that parameters are maintained in
         searchbar throughout the place hold process. -->
-        <input type="hidden" name="locg" value="[% CGI.param('locg') %]" />
-        <input type="hidden" name="qtype" value="[% CGI.param('qtype') %]" />
-        <input type="hidden" name="query" value="[% CGI.param('query') %]" />
+        <input type="hidden" name="locg" value="[% CGI.param('locg') | html %]" />
+        <input type="hidden" name="qtype" value="[% CGI.param('qtype') | html %]" />
+        <input type="hidden" name="query" value="[% CGI.param('query') | html %]" />
         [%
             usr_barcode = CGI.param('usr_barcode') | html;
             is_requestor = CGI.param('is_requestor');